Journal of Homeland Security and 
Emergency Management 


Volume 2, Issue 3 2005 Article 1 


Preventing the Next Terrorist Attack: The 
Theory and Practice of Homeland Security 
Information Systems 


Sam Nunn, Indiana University Purdue University Indianapolis 


Recommended Citation: 

Nunn, Sam (2005) "Preventing the Next Terrorist Attack: The Theory and Practice of Homeland 
Security Information Systems," Journal of Homeland Security and Emergency Management: 
Vol. 2: Iss. 3, Article 1. 

DOI: 10.2202/1547-7355.1137 


©2005 by the authors. All rights reserved. 


Preventing the Next Terrorist Attack: The 
Theory and Practice of Homeland Security 
Information Systems 


Sam Nunn 


Abstract 


As with other endeavors, the promise of technology is no less bright for anti-terrorism, which 
is concerned with stopping terrorist acts before they occur. Based on the 20-20 hindsight of the 
9-11 Commission, many believe a combination of technologies and data bases can allow law 
enforcement and intelligence investigators to identify potential terrorist plots, use a multitude of 
data bases that contain hidden patterns of information about transactions needed to execute plots, 
and then mount pre-emptive strikes to stop their plans. Six types of systems cited as major tools in 
terrorism prevention are critically examined here: (1) regional emergency response networks; (2) 
the FBI DCS1000; (3) Echelon, an electronic interception system; (4) terrorism watch lists, (5) the 
multi-state anti-terrorism information exchange (MATRIX); and (6) the Terrorist Information 
Program (TIP). The systems are conceptualized as three types. Scanners constantly look for 
information generally or for a specific investigation. Watchers seek to know the location of 
individuals because they are persons of interest. Synthesizers attempt to interpret data from 
disparate sources to draw inferences about criminal plots before such schemes can be implemented 
by the conspirators. Findings suggest that the synthesizers hold the highest promise for prediction 
and prevention but generate the most strident opposition. 


KEYWORDS: Terrorism, watch lists, technology, data base 


“I never thought of anything I never knew before” 
Trout Fishing in America, “Big Trouble” (1994) 


Domestic anti-terrorism policies involve prevention and response. Prevention is 
preferable—with no events, there is no need for response. Examinations of the 9-11 
attacks suggested the criminal justice and intelligence communities had 
information to stop the plot before execution, except it was in many data bases 
and largely unsynthesized (National Commission 2004; Posner 2004). Post-mortem 
analyses suggested clues to terrorist plots are hidden in plain sight in 
decentralized data files, but that the proper application of information 
technologies to homeland security information systems (HSIS) can detect 
fragmented clues, assemble them as in a puzzle, then pinpoint and stop attacks. 
Basically, anti-terrorism is a story about crime prevention. 

But plugging crime prevention into the ‘war on terror’ rests categorically 
on a theoretical foundation of using information technology as a primary weapon. 
Evolving anti-terrorism information systems envision advanced data and text 
mining technologies, set loose to chew on available data bases containing credit 
card records, video rentals, material purchases, training rosters, emails, crime 
incidence reports, travel records, library usage, flight information, cell phone 
activity, field investigation reports, intelligence briefings, and so on. Law 
enforcement and intelligence officials believe that the criminal histories, the 
derived profiles, and the consumption/travel transaction patterns contained in 
these data bases can reveal incipient terrorist plots through the careful 
combination of information technologies, data mining, and data base systems 
(McCue, Stone, and Gooch 2003; Seifert 2004). These systems are comprised of 
(a) law enforcement sensitive information; (b) secret, national security data; (c) 
public records—so called ‘open source’ intelligence; and (d) records maintained 
by private firms. Technological systems are being implemented that provide 
coordinated access to these data bases, the ability to build monitoring and 
reporting data bases, and the capacity to develop in-bound and out-bound 
broadcasting and narrowcasting messaging using open internet and secure intranet 
channels to solicit public leads and tips about potential crimes from specific 
groups of citizens, professionals, and others. 

Will these systems improve U.S. capacity to prevent terrorist attacks? 
More information can mean better decisions, and U.S. law enforcement and 
intelligence agencies are most certainly generating massive amounts of 
information about potentially nefarious plots. But these systems will be effective 
only if the information is available within an appropriate time frame and decision 
making context. As will be shown here, information systems devoted to 
homeland security are many and varied, have different and not necessarily 
compatible operating objectives, are managed by different agencies, and often 
collect information outside the context of specific hypotheses about terrorist or 
criminal conspiracies. Further, the consumption and use of the outputs produced 
from these systems are complicated by the multi-tiered, compartmentalized, and 
decentralized structure of U.S. law enforcement. 

There is little critical analysis of HSIS and the data bases supporting them 
in the criminal justice literature. This paper analyzes several information systems 
proposed or underway that support HSIS objectives. In theory, the systems fall 
into one of three categories of surveillance: they scan, they watch, or they 
synthesize. Some HSIS are constructed to scan or trawl for information, 
communications, and data transmissions on a broad or sometimes very selective 
basis. Some are designed to alert law enforcement, customs, or aviation officials 
that certain specific individuals have been identified—they are watching for 
particular people. Others operate at a higher level, seeking to synthesize existing 
information from various sources in order to predict and interdict terrorist 
incidents. Six systems are examined here: (a) regional emergency response 
networks; (b) the FBI DCS1000, once known as Carnivore; (c) Echelon, an 
international electronic message interception system; (d) various terrorism watch 
list systems, (e) the multi-state anti-terrorism information exchange (MATRIX); 
and (f) the Terrorism Information Awareness (TIA) (aka Total Information 
Awareness). These systems promise increased preventive capacity, but do so 
within a policy vacuum that ignores issues of effectiveness, accountability, and 
privacy. Further, the systems most likely to predict embryonic terrorism events 
have in practice generated active, vocal political opposition and have been 
roundly rejected by elected officials, the public, and sometimes the law 
enforcement agencies that would use the systems. This analysis provides a 
critical examination of the design, implementation, and use of HSIS and the 
policy issues raised. 


Figuring out what to expect 


Despite popular conceptions, HSIS are not simply black boxes in which data are 
stored, and then retrieved in order to magically, diligently, or serendipitously 
uncover terrorist plots. There has to be some expectation of what’s coming. As 
in all cases involving information acquisition and analysis, data do not speak for 
themselves but can be understood best in the context of hypotheses. The 9-11 
Commission, in perfect reconstructive hindsight, identified instances when data 
were available that could have alerted law enforcement and intelligence agents 
about the pending plot, but the “failure of imagination” was the inability to 
foresee that combination of elements that brought down the planes, the twin 
towers, and part of the Pentagon (National Commission 2004). In short, to know 
how best to utilize HSIS components, analysts and investigators must know what 
to seek. Data mining programs will not simulate the use of gasoline tanker trucks 
as WMDs in a crowded downtown parade; investigators will need to anticipate 
what this kind of attack would require, and then scan and use available HSIS to 
see if the plausible data pieces are falling in place somewhere among a population 
of suspects. Prevention requires knowing what it is one is preventing. Yet, 
sophisticated systems proposing information technologies to do just that—predict 
attacks, then seek ways to stop them—have been firmly squashed by elected 
officials. 

Instead, most extant HSIS data bases are compilations of discrete bits of 
information stored in distinct silos—names and criminal histories, travel 
itineraries and records, biometric identifiers, property ownership, driving history, 
group memberships, credit card purchases, or lists of names. There are few 
systems—short of the creativity and intuition of individual investigators or their 
teams—that explicitly synthesize these data into plot-specific, preventive themes. 
Systems are proposed with the capabilities to do the type of data mining and 
synthetic analysis needed to predict attacks or perpetrators ahead of time, but have 
typically generated noisy political debate. Opponents foresee dire consequences 
for traditional civil liberties and personal privacy (Borin 2002; Hertzberg 2002; 
Winner 2002). At least one proposed system that was to be capable of doing 
predictive and preventive analysis, and in which substantial investment was made 
by the federal government during 2002 and 2003, was in fact terminated by the 
U.S. Congress due to public outcry about its potential abuse (DARPA 2003). 

The various information systems built into and envisioned for homeland 
security are more than just anti-terrorism measures. They also support disaster 
planning and emergency management. However, it’s clear that a major subset of 
data base and other software systems considered to be components of HSIS are in 
fact focused most closely on uncovering and preventing terrorist attacks. In this 
sense, data useful in identifying individuals who are known associates of terrorist 
actors or members of foreign terrorist organizations might not add much value to 
disaster planning, but do play a major role in anti-terrorism initiatives. That is the 
focus here: the subset of information systems seen as a first defense against 
terrorist attacks. These systems are conceptualized as a series of linked and 
unlinked data bases holding information about “individuals known or 
appropriately suspected to be or have been involved in activities constituting, in 
preparation for, in aid of, or related to terrorism” (Memorandum of 
Understanding.... 2003, p. 1 of 8) and the software systems used to aggregate 
public and private sources of data about these individuals and their actions. Some 
of these systems are designed specifically for anti-terrorism homeland security 
functions, while others are designed for a variety of other functions serving law 
enforcement. Accordingly, these systems have different objectives: 


• To identify individuals before they engage in an action (e.g., aviation 
  screening, watch lists) 

• To accumulate information about individuals in both criminal and 
  noncriminal contexts (e.g., credit card records, other private data bases, 
  NCIC, local criminal histories) 

• To capture incriminating information in general or in the context of 
  specific criminal investigations (e.g., Echelon, DCS1000) 

• To synthesize data from many other data bases, then use this information 
  to support the identification of individuals and plots (e.g., MATRIX, TIA) 


Homeland security information systems exhibit a mixture of functions, 
ranging from listings of people considered possible threats to combined 
software/data base systems that consolidate and aggregate various sources of 
criminal and other public data on specific individuals. Building from this, one 
way to conceive of them is as (a) data bases that simply identify and only briefly 
describe people, including possibly biometric information to determine if the 
individuals are indeed who they purport to be—that is, to establish positive 
identification; and (b) another set of data bases with deeper descriptions of the 
people and data sources needed to anticipate potential terrorist plots by 
determining if selected individuals have the criminal history, known associates, 
connections, resources, and transaction patterns that would be needed to execute 
the plots. 

By using these two broad kinds of data, the dream of HSIS is clear 
enough: to uncover terrorist plots before they can be executed. Thus, using 
various relational data base inquiry systems, 


the Department of Homeland Security, Department of Justice, FBI, and 
numerous state and local law enforcement agencies would have access to 
information analysis, using advanced data-mining techniques to reveal 
patterns of criminal behavior and detain suspected terrorists before 
they act (Stevens 2003, p. 3) (author’s emphasis) 


Embedded in this view is the idea that, as the tag line for television’s The X-Files 
suggests, the ‘truth is out there’ and that the proper application of data 
management tools to the mass of data collected about individuals and criminals 
can isolate and identify bad actors and the actions they plan. It is in this context 
that the 9-11 Commission (2004) report cites various instances in which data base 
systems were implicated in the failure to predict the attacks: 


Though two of the hijackers were on the U.S. TIPOFF terrorist watchlist, 
the FAA did not use TIPOFF data.... Even though several hijackers 
were selected for extra screening by the CAPPS system, this led only to 
greater scrutiny of their checked baggage (p. 14). 


Much of the public commentary about the 9/11 attacks has focused on 
"lost opportunities". Though characterized as problems of 
"watchlisting," "information sharing," or "connecting the dots," each 
of these labels is too narrow. They describe the symptoms, not the disease. 
(p. 21). 


If [the National Security Agency] had been asked to try to identify [several 
9-11 conspirators], the agency would have started by checking its own 
database of earlier information from these same sources. Some of this 
information had been reported; some had not. But it was all readily 
accessible in the database. NSA's analysts would promptly have 
discovered who Nawaf was, that his full name might be Nawaf al Hazmi, 
and that he was an old friend of Khalid. (p. 353) 


With this information and more that was available, managers could 
have...tracked the movement of these operatives in southeast Asia. With 
the name "Nawaf al Hazmi," a manager could then have asked the State 
Department also to check that name. State would promptly have found 
its own record on Nawaf al Hazmi, showing that he too had been issued a 
visa to visit the United States. Officials would have learned that the visa 
had been issued at the same place—Jeddah—and on almost the same day 
as the one given to Khalid al Mihdhar (p. 353). 


We found that as many as 15 of the 19 hijackers were potentially 
vulnerable to interception by border authorities. Analyzing their 
characteristic travel documents and travel patterns could have allowed 
authorities to intercept 4 to 15 hijackers and more effective use of 
information available in U.S. government databases could have 
identified up to 3 hijackers (p. 384). 

[author’s emphasis] 


There is an abiding policy emphasis on consolidating and coordinating 
anti-terrorism information systems (General Accounting Office 2003). This 
policy concern is underscored by the highly fragmented and decentralized system 
of data collection and retrieval that currently serves law enforcement and 
intelligence agencies. Changes are thought to be needed to pre-emptively thwart 
terrorist attacks. There are different and separate information systems in place 
that track foreign travelers, criminal histories, biographical information, biometric 
records, and other information about individuals. The challenge for anti-terrorism 
policies and programs is to have widespread geographical access to the right data 
base at the right time by the right people and agencies, and to have the capability 
to synthesize the information contained within the various files. These people can 
then engage in pre-emptive actions. Broadly speaking, systems are needed that 
include: 


1. Biographical and descriptive information about individuals capable of 
   supporting positive identification 
2. Criminal histories 
3. Biometric data for purposes of positive identification 
4. Known associates, group memberships, and network ties 
5. Travel histories 
6. Current patterns of travel and associated purchases 
7. Synthesis of available information (e.g., intelligence briefings) 
8. Logs of incriminating information (e.g., including surveillance reports) 
9. Information from public sources (e.g., license plate numbers, property 
   ownership, etc.) 


HSIS components can be sorted into three possible categories: scanners, 
watchers, and synthesizers. Scanners are technology systems that are constantly 
looking for information in a general sense or in the context of a specific 
investigation. Watchers are systems that seek to know the location or activities of 
specific individuals because they are persons of interest (e.g., terrorists or 
criminals). Synthesizers are systems that attempt to coordinate and interpret data 
from disparate sources in order to draw inferences and conclusions about criminal 
or terrorist plots, ideally before such schemes can be implemented by the 
conspirators. Proponents of HSIS believe that proper combinations of the three 
are needed for effective anti-terrorism programs. Table 1 offers a typology of 
these three types, and the examples of such systems that will be explored in this 
article. 


Table 1: Brief typology of homeland security information systems 

| Type of homeland security information system (HSIS) | Basic functions | Examples of technology or systems |
|---|---|---|
| Scanner | Systems looking for general information or investigating specific individuals and criminal conspiracies. | (a) Local terrorist information and emergency alert networks; (b) Echelon; (c) the FBI’s email monitoring system, DCS1000 (aka Carnivore) |
| Watchers | Systems seeking the location or activities of specific individuals because they are considered potential terrorists. | Various watch lists (e.g., Consular Lookout and Support, TIPOFF, Interagency Border Inspection, No-fly list, Selectee list, National Automated Immigration Lookout, Automated Biometric Identification System, Warrant Information, Violent Gang and Terrorist Organization File) |
| Synthesizers | Systems that interpret data from many sources to draw inferences about current or future criminal or terrorist plots. | (a) Multi-State Anti-Terrorism Information Exchange (MATRIX); (b) Defense Advanced Research Projects Administration Terrorism Information Awareness (TIA) program |


Scanning for data: standing monitoring 
systems and selective surveillance 


There are HSIS in place that are open scanning systems. They are largely 
indiscriminate, open-ended vacuum cleaners, sucking up all information possible 
from particular sources in the hope that meaningful intelligence can be created 
from a massive data sweep. Then there are more discriminating systems that 
place specific individuals or terrorist conspiracies under surveillance. By 
definition, the first type of HSIS is operated outside the context of any specific 
terrorist plot or identified terrorist actors; it is simply an open search for 
information that might be relevant for predicting future actions. In order for these 
systems to be effective, though, one needs a picture of the possible future 
action—a scenario to expect, and then repel. The second type of HSIS—selective 
scanning systems—is typically invoked as a function of an identified criminal 
investigation or conspiracy. This would include traditional phone wiretaps, and 
other systems that have evolved to intercept computer-based communications. 
The special characteristic of selective scanning systems is that they focus on an 
individual, a suspected crime, and are careful to indicate the time, place, and 
extent of the interpersonal information that can be monitored—they are 
‘minimized’ to certain situational characteristics. It is legitimate to question 
whether open or selective scanning does a better job in predicting and stopping 
criminal or terrorist plans. One system is designed to intercept information about 
plans in the absence of a specific theory of criminal conspiracy, and the other 
cannot be used without evidence establishing probable cause a crime is imminent. 

Three scanning systems are considered here. Two are open scanning systems: 
(a) local terrorist information and emergency alert networks, and (b) the 
international electronic communications monitoring system known as Echelon. 
The other is a selective scanning system: (c) the FBI’s email monitoring system, 
DCS1000. These three systems move along a continuum from very broad to case-specific. 
Local alert networks are evolving in some U.S. metropolitan areas, and 
are designed to trawl for locally and regionally specific information about 
possible threats to critical infrastructure systems. Echelon is an international 
system, managed by intelligence organizations from five countries (United States, 
United Kingdom, Canada, Australia, and New Zealand), and has the capacity to 
intercept phone calls, email messages, Internet downloads, and satellite 
transmissions. According to published reports and official analyses, Echelon does 
so indiscriminately, searching for communications and messages that contain 
specified targeted words that conceivably raise warning flags about criminal acts 
(European Parliament 2001). The FBI’s DCS1000 system is the most focused 
system, and is used to intercept and log specified email traffic through an internet 
service provider, based on the issuance of a court-authorized wiretap order. It is 
the computer’s parallel to phone wiretaps. 


Local alert networks 


In 2002, the U.S. Department of Homeland Security (DHS) and the FBI began 
financing the design and implementation of regional information sharing 
networks. The first pilot project was the Dallas FBI Emergency Response 
Network (ERN), followed by subsequent DHS-funded projects in Atlanta, 
Indianapolis, and Seattle. These systems are all a mix of secure and open 
Internet-based communications forums. From one perspective, the ERNs are 
secure intranet communications and information sharing devices that link various 
groups representing critical infrastructure sectors by providing selective broad- 
and narrow-casting email and list server capabilities. In theory, this promotes 
information sharing among key actors and leaders across different sectors (e.g., 
law enforcement, government, banking, chemical industry, pharmaceutical 
industry, electrical power, etc.) by creating a communications platform. The 
Dallas ERN system has a major law enforcement presence in its web resources, 
including specific secure resources and list servers for police chiefs and sheriffs, 
bomb technicians, cyber crime investigators, joint terrorism task force, and 
working groups to deal with weapons of mass destruction. 

However, from a second perspective, and more relevant to HSIS terrorism 
prevention objectives, the ERN systems offer a way of reporting suspicious 
activities. In Dallas, the FBI Shield Program is essentially a neighborhood watch 
program for the region’s citizens to report activities they believe might presage 
the planning or conduct of terrorist attacks. After linking with the Shield icon, 
citizens are given access to a web-based data entry form (“FBI Dallas SHIELD 
Report”) that asks them to report particulars about activities they deemed to be 
suspicious: when and where it occurred, proximity to any specific places or 
landmarks that might be considered likely targets, aspects of the activity that 
made it unusual, and so forth. One must assume that the FBI somehow collates 
and prioritizes tips reported electronically, allocates investigative resources to 
selected public leads, and determines if leads have merits that should be pursued. 

The Indiana Alert Network directs reports of suspicious activity to the 
FBI’s “Tips and Public Leads” web-based entry screen, which does not note a 
specific geographic focus. Apart from this ‘tip’ program, official members of 
IAN receive regular email announcements containing news summaries tied to 
events affecting critical infrastructure, Federal Emergency Management 
Administration situation reports, and other information items that network 
gatekeepers deem to be useful to network members. The tedium of this 
information is often numbing. The FEMA reports are often nothing more than a 
recapitulation of national weather conditions. But a weekly electronic newsletter 
goes out to members, chronicling events occurring in critical infrastructure sectors 
(e.g., reported computer hacking attempts or vulnerabilities). The IAN system did 
not in 2005 fully identify gatekeepers associated with most of the critical 
infrastructure sectors. For instance, the gatekeepers for the chemical-HAZMAT 
sector enrolled a network of people who are interested in regular information 
about activities in that sector, and had the capability to send alerts through any 
kind of electronic notification (cell, pager, fax, email, phone, etc.). The 
gatekeepers were retired federal police officers working from inside the global 
security division of Eli Lilly and Co., the pharmaceuticals firm headquartered in 
Indianapolis. But there are no other gatekeepers individually identified among the 
other 15 critical infrastructure sectors identified in Indiana. For example, there is 
an “Education” sector, but IAN has no further information about reports from or 
about educational agencies, schools and, presumably, students. 

Evidently, the idea is for informed members of various sectors to report 
news of the sector to a gatekeeper, who would translate it into the newsletter. Is 
this the information that has to be scanned for potential plots or conspiracies? 
There is no guarantee that any single individual or agency is engaging in or 
offering an overview of the highly scattered infrastructure updates. It would be a 
virtual full-time job, trying to identify spatial, temporal, and physical patterns that 
might signify a catastrophic terrorist attack against any of the many soft targets in 
the U.S., and doing so in a way that can foreshadow or point to preventive action 
or interdiction. Without knowing what to expect, though, it’s hard to know what 
clues are even relevant. You cannot connect the clues because you don’t know 
the plot, but you can’t know the plot unless you figure out the clues. What is 
missing is an ‘attack hypothesis’ setting out what to expect to find in the data 
patterns. 

So, although DHS and the FBI have promoted ERN systems widely, their 
ultimate value in prediction and intervention efforts is questionable. Certainly, it 
is possible that web-based ‘snitch’ systems like the Shield Program might 
generate viable leads for law enforcement. But it is equally certain that these 
kinds of tips have a high false positive quotient that ties up law enforcement 
resources that might be used productively in other areas. As for the ‘critical 
infrastructure’ information items, they are by and large the open source news 
accounts of routine happenings in various industries such as the railroads, 
aviation, electrical utilities, or other industrial sectors (e.g., computer, 
pharmaceutical or chemical industries). It is an open question whether anyone is 
focused on these dizzyingly varied events in a way that increases the probability 
that hidden plots could be uncovered. Will one week’s story of dynamite stolen 
from a construction site be connected to another week’s story of lax security at an 
electrical generating station or of unknown persons taking photos of a dam? Yet 
it is just these types of reports that are included in ERN emailings, with no clear 
strategy in place directing someone to attempt to synthesize dozens and hundreds 
of random infrastructure occurrences. 


World-wide monitoring of electronic communications 


The number of messages communicated through an ERN to its members pales in 
comparison to the number of messages between individuals or agents of 
organizations that can be intercepted electronically. This is raw electronic data 
containing information that might be relevant for anti-terrorism. Another open 
scanning system collects this information. The Echelon system is a multi-national, 
cooperative intelligence endeavor used to intercept and monitor email, 
telephonic, and facsimile communications that use satellite links (European 
Parliament 2001). The international partners include the UK, the U.S., New 
Zealand, Australia, and Canada. Echelon reportedly uses computer systems 
known as “dictionaries” to screen electronic communications on the basis of 
selected key words of interest. The system dictionary uses a set of terms 
connected to terrorism, and then screens or flags communications exhibiting 
various usages of these terms. Some messages are subject to closer analysis. This 
interception activity takes place across ten secure listening post sites. Data so 
assembled are said to be shipped to the U.S. National Security Agency for 
processing, but its redistribution of the results of that processing is not itself a 
transparent process. One journalistic account of Echelon reported that one of its 
primary objectives is “tracking international terrorist groups or drug cartels” 
(Anderson and Cohn 1999). 

The Echelon system can be used to monitor communications for terrorist 
messaging, although the details of how this is done and to what end are largely 
unavailable from open sources. One example recounted by a former Canadian 
intelligence officer was a case in which a woman’s intercepted telephone 
conversation included an “ambiguous phrase” picked up by the terrorism 
dictionary, that resulted in her name and phone number being placed into a “data 
base of possible terrorists” (European Parliament 2001, p. 71). So, an open 
scanning system like Echelon has been used to help build watch lists, although as 
will be shown for the U.S., a task force of federal law enforcement and military 
agency representatives is the reported final arbiter for the inclusion and exclusion 
of names to various watch lists (Krouse 2004). 

The sheer magnitude of communications flowing through Echelon is 
immense. Anderson and Cohn (1999) report that Echelon was intercepting 
approximately 2 million messages per hour in 1999. The European Parliament 
report also explained the logistics of how a similar system is used by German 
intelligence agencies. There, 800,000 electronic communications to Germany 
occurred each day in 2000. Of those, the German monitoring system filtered 
about 10 percent for key words in various areas (e.g., nuclear proliferation, arms 
trade, etc.). The report goes on to say “the procedure has proved relatively 
unsuccessful in connection with terrorism and drug trafficking” (European 
Parliament 2001, p. 36). 

The broader question is whether the international Echelon system can be 
an effective way to identify and collate terrorist messages in a way that would 
permit pre-emptive initiatives by anti-terrorist units. The permutations of 
linkages, connections, and languages contained in this volume of information 
are large. For example, 2 million messages/hour in a 24/7/365 operation generates 
a weekly rate of 336 million messages that could create potential patterns of 
communication. If 10 percent are screened in more detail, that is 4.8 million 
additional daily messages examined by machine or human operators. These 
numbers will accumulate daily and weekly into a backlog of past-due and new 
work because translations and close examinations of messages cannot be 
achieved at the same rate at which they were intercepted. At any given time, 
there will be a possibly vast backlog that has to be cleared and interpreted for 




clues. Computers can of course process these kinds of backlogs, but 
interpretation for prediction and prevention is nearly always a human 
decisionmaking process. Human interpreters will invariably get behind and real- 
time information will be scarce. 
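The two mechanisms described above, dictionary screening and the backlog that follows when flagged traffic outruns human review, as an added example that is not part of the original article. The dictionary terms, the sample messages, and the review capacity are all constructed for the illustration; the real Echelon term lists are not public.

```python
import re

# Constructed dictionary of topics and term patterns. Assumption: illustrative
# only; the real Echelon "dictionary" term lists are not public.
DICTIONARY = {
    "terrorism": [r"\bdetonat\w*", r"\bexplosive\w*", r"\bcell\b"],
    "proliferation": [r"\benrich\w*", r"\bcentrifuge\w*"],
}

# One compiled alternation per topic; findall returns the literal terms that fired.
_COMPILED = {
    topic: re.compile("|".join(patterns), re.IGNORECASE)
    for topic, patterns in DICTIONARY.items()
}


def screen(message: str) -> dict:
    """Return {topic: [matched terms]} for every dictionary topic that fires.

    An empty dict means the message passes through unflagged. A bare word
    such as "cell" fires on "cell phone" as readily as on an actual cell: the
    dictionary cannot resolve the ambiguity, which is why flagged traffic
    still needs a human reader.
    """
    hits = {}
    for topic, regex in _COMPILED.items():
        found = regex.findall(message)
        if found:
            hits[topic] = found
    return hits


def simulate_backlog(intercepts_per_day: int, flag_rate: float,
                     review_capacity_per_day: int, days: int) -> list:
    """End-of-day backlog of flagged-but-unreviewed messages for each day.

    Flagged traffic arrives at intercepts_per_day * flag_rate; reviewers clear
    at most review_capacity_per_day. Whenever arrivals exceed capacity the
    backlog grows without bound, so the newest intercepts are never current.
    """
    backlog = 0
    history = []
    for _ in range(days):
        backlog += int(intercepts_per_day * flag_rate)
        backlog = max(0, backlog - review_capacity_per_day)
        history.append(backlog)
    return history


if __name__ == "__main__":
    # Constructed sample traffic.
    for text in ("New centrifuge parts shipped Tuesday",
                 "Lost my cell phone again",
                 "See you at lunch"):
        print(f"{text!r:45} -> {screen(text)}")
    # 2 million/hour from the article, 10 percent flagged, 4 million/day cleared
    # (capacity is an assumed figure).
    print(simulate_backlog(48_000_000, 0.10, 4_000_000, 7))
```

With the article's 2 million messages per hour and a 10 percent flag rate, any review capacity below 4.8 million messages per day leaves a backlog that grows by the shortfall every day; the second message above also shows the ambiguous-phrase problem the Canadian anecdote describes.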


Focused monitoring: FBI’s DCS1000 (aka, Carnivore) 


In contrast to open scanners like ERNs or Echelon, other scanning systems can be 
extremely focused and selective about the people, places, kinds and content of 
messages, information, and data that can be intercepted. Because massive 
amounts of interpersonal communications are now made using email systems, law 
enforcement has devised ways of monitoring email accounts in the same way that 
wiretaps have been used for decades, through changing communications 
technologies, to listen to telephone conversations and ‘bugs’ used to pick up face- 
to-face communications among criminal suspects. The FBI’s DCS1000 system 
(up until 2001 known as Carnivore) is a combination of hardware and software 
known as a packet sniffer, which essentially ‘sniffs’ out the email 
communications of targeted suspects (Tyson 2003). It is the technology necessary 
to identify patterns of email communications among individuals and record the 
substance of those communications. It requires someone intercepting, reading, 
and interpreting the emails within the context of a possible criminal conspiracy 
that has already been identified in previous affidavits seeking court-ordered 
wiretaps. These investigators are on the look-out for particular communications 
between individuals using specific devices, but the intercepted messages have to 
be judged by whether and how they’re relevant to the anticipated crime involved. 
In any event, probable cause that a crime has been or is about to be committed is 
established. Presumably, investigators are able to judge what their interceptions 
mean. 

According to official descriptions (Kerr 2000), use of the DCS1000 
system is triggered by actual or anticipated criminal activity. It requires a 
criminal investigation to be underway that is at least far enough along to acquire a 
wiretap order via an affidavit establishing probable cause. As with other wiretap 
orders, warrants must specify who is the target of the investigation, what crimes 
have occurred or might occur, the time period of DCS1000’s use, and other 
details normally included in wiretap orders. Monitoring computerized email 
communications means that the cooperation of internet service providers (ISPs) is 
required because the FBI must place equipment and software on the ISP’s servers. 
The authorization to use and the operation of DCS1000 are similar to the 
procedures required to acquire wiretap orders from a court: the need to establish 
probable cause, the need to obtain permission of a service provider (an ISP, as 
opposed to a telecommunications service provider), the articulation of specific 
offenders and where their communications will be intercepted, and, presumably, 




the same minimization requirements (i.e., limiting the types of communications 
intercepted and reducing as far as possible the number of individuals authorized to 
read intercepted emails). DCS1000 can be configured to capture only the ‘from 
and to’ addressing information (the originating and receiving addresses, without 
message content), the full content of incoming and outgoing messages, or a 
combination of both. Tracking to/from linkages is akin to operating a pen register 
on a telephone, except that it is applied to email accounts. 

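The two capture modes just described, addressing-only (pen-register style) versus full content, together with the minimization step that discards traffic involving no named target, as an added example that is not part of the original article or of the FBI's DCS1000 software. The message samples, the target address, and the `InterceptOrder` structure are constructed for the illustration; the code applies the order to raw RFC 822 messages using Python's standard `email` package.

```python
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Optional


@dataclass(frozen=True)
class InterceptOrder:
    """The scope a court order fixes before the sniffer is switched on.

    targets: email addresses named in the order (assumption: addresses stand
             in for the 'specific devices' an order identifies).
    full_content: True for a content intercept; False for a pen-register /
             trap-and-trace mode that keeps addressing data only.
    """
    targets: frozenset
    full_content: bool


def _addresses(msg: Message, header: str) -> set:
    """Lower-cased addresses from every instance of a header (From, To, Cc)."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def _text_body(msg: Message) -> str:
    """Plain-text body; for multipart mail, the concatenated text/plain parts."""
    if not msg.is_multipart():
        return msg.get_payload(decode=True).decode(errors="replace")
    parts = [p.get_payload(decode=True).decode(errors="replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def intercept(order: InterceptOrder, raw_message: str) -> Optional[dict]:
    """Apply the order to one captured message.

    Returns None (retain nothing) when no party to the message is a named
    target: that is the minimization step. Otherwise returns the addressing
    record, plus subject and body only when the order covers content.
    """
    msg = message_from_string(raw_message)
    senders = _addresses(msg, "From")
    recipients = _addresses(msg, "To") | _addresses(msg, "Cc")
    if not (senders | recipients) & order.targets:
        return None
    record = {"from": sorted(senders), "to": sorted(recipients), "date": msg.get("Date")}
    if order.full_content:
        record["subject"] = msg.get("Subject")
        record["body"] = _text_body(msg)
    return record


# Constructed sample traffic as it might be seen on the ISP's mail path.
SAMPLE_MESSAGES = [
    "From: Alice <alice@example.net>\nTo: bob@example.org\n"
    "Subject: Friday\nDate: Mon, 01 Mar 2004 10:00:00 -0500\n\n"
    "Meet at the usual place Friday.\n",
    "From: carol@example.com\nTo: dave@example.org\nCc: Bob <BOB@example.org>\n"
    "Subject: invoice\nDate: Mon, 01 Mar 2004 11:30:00 -0500\n\n"
    "Attached as discussed.\n",
    "From: erin@example.net\nTo: frank@example.com\n"
    "Subject: lunch\nDate: Mon, 01 Mar 2004 12:00:00 -0500\n\n"
    "Noon?\n",
]

PEN_REGISTER = InterceptOrder(targets=frozenset({"bob@example.org"}), full_content=False)
FULL_CONTENT = InterceptOrder(targets=frozenset({"bob@example.org"}), full_content=True)


def run(order: InterceptOrder) -> list:
    """Records the sniffer would retain for the sample traffic under `order`."""
    return [rec for rec in (intercept(order, m) for m in SAMPLE_MESSAGES) if rec]


if __name__ == "__main__":
    for rec in run(PEN_REGISTER):
        print("pen-register:", rec)
    for rec in run(FULL_CONTENT):
        print("content:", rec)
```

The third message never touches the target and is dropped in both modes; the second is retained because the target appears only as a Cc recipient, which is the kind of linkage a to/from record is meant to surface.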
Although the use of DCS1000 could unveil theretofore unknown terrorist 
plots, it is more accurately a tool for ongoing investigations. In this sense, 
DCS1000 would not be particularly helpful in an exclusively predictive context 
because approval for its use (issued by a U.S. district court) is a function of 
“gathering hard evidence, not intelligence” (Kerr 2000, p. 2 of 5). However, 
wiretaps can reveal future plans of those monitored, as well as information about 
the targets and timing of crimes—either those offenses being monitored or others 
ancillary to the wiretap’s focused crime—and accordingly have some value for 
prediction and intervention. This would be the case for both phone wiretaps and 
email monitoring. 

Surprisingly, there are remarkably low numbers of officially reported 
wiretaps considering the large number of offenses and arrests. Email and 
computer wiretaps form an infinitesimal part in the overall wiretap picture. (This 
excludes the use of pen registers, which has a lower judicial standard than actually 
monitoring conversations through full wiretaps.) Contrary to the level of public 
attention levied on potential email monitoring by the FBI (Associated Press 2002; 
EPIC 2002), official reports indicate extremely limited use of DCS1000 or similar 
commercial software to intercept communications. For fiscal year 2002, there 
were five uses; eight instances were reported for the period October 1, 2002 
through September 30, 2003. At least three of these involved terrorist-related 
crimes (Federal Bureau of Investigation 2003). 

How does this compare to the officially reported universe of authorized 
wiretaps? It hardly compares to the more than 1,300 traditional wiretap orders 
issued in 2002 (Mecham 2003), along with the more than 1,700 wiretaps 
authorized under the Foreign Intelligence Surveillance Act (Moschella 2004). 
But then again, wiretaps are dwarfed by the number of index crimes known to the 
police (e.g., 11.9 million in 2002) or arrests (13.9 million in 2002). Wiretaps 
account for only a very small share of these arrests: 8,510 and 7,056 in 2000 and 
2001 respectively (Mecham 2003). (FISA wiretaps—which regularly outnumber 
routine wiretap orders—do not report arrest and conviction outputs, so this 
understates wiretap-generated arrests by the amount linked to FISA warrants.) In 
practice, wiretaps should be judged by their individual effectiveness in specific 
cases, but do not hold great promise as predictive and preventive devices in the 
war on terror. Nonetheless, it should be recognized that information from 




wiretaps has been obtained and used to uncover terrorist crimes, and has 
reportedly proven useful in stopping conspiracies before they can gain much 
steam. 


Looking for specific individuals: terrorist watch lists 


Scanning systems can help identify specific individuals possibly engaged in 
terrorist or other criminal acts, and to a certain extent show the how and what of 
communications among possible conspirators. But once they have been 
identified, such persons need to be located. This is the role of watching systems. 
A U.S. General Accounting Office (2003) analysis of terrorism watch lists 
identifies 12 different data base systems spread across nine federal agencies. The 
report classifies the following as terrorist watch lists (and federal department that 
sponsors it): 


1. Consular Lookout and Support (State) 
2. TIPOFF (State) 
3. Interagency Border Inspection (Treasury) 
4. No-fly list (Transportation) 
5. Selectee list (Transportation) 
6. National Automated Immigration Lookout (Justice) 
7. Automated Biometric (fingerprint) Identification System (Justice) 
8. Warrant Information (Justice) 
9. Violent Gang and Terrorist Organization File (Justice) 
10. Integrated Automated Fingerprint Identification (Justice) 
11. Interpol Terrorism Watch List (Justice) 
12. Top Ten Fugitive (Defense) 


(SOURCE: adapted from General Accounting Office 2003, Table 
1, p. 16) 




An interesting aspect of this list is its variety. It includes systems designed to 
monitor foreign visas and travelers as well as to compile criminal histories, 
identify known and latent fingerprints, establish travel patterns and international 
border crossings, check arrest warrants for an individual, subject their baggage 
and belongings to detailed searches, and know the true identity of aviation 
passengers. Importantly, no single system does all of these things at once. One 
of these components, the TIPOFF data base, which is to be consolidated into the 
Terrorist Identities Database (TID), was reported in spring 2004 as having 
120,000 names (Krouse 2004). This includes aliases and AKAs, so the 
approximate number of unique individuals in the data base was then about 81,000. 

By definition, watch list means that there are names on lists. But where do 
these names originate? How are the lists produced in the first place? The actual 




process is murky and closely held by the intelligence and law enforcement 
communities, but evidently consists of recommendations mostly from federal 
intelligence and law enforcement representatives, and occasional assistance from 
regional and local police agencies. In sum, names come from the judgment of 
intelligence analysts, federal law enforcement officials, intelligence agents, and 
sometimes police officers. The various joint terrorism task forces (JTTF) of the 
FBI play a key role in identifying individuals for possible inclusion. At the 
federal level, the plan in 2005 was to have a “Terrorism Screening Center” or a 
“Terrorism Threat Integration Center” that can coordinate lists. Representatives 
from the FBI, CIA, National Security Agency, Defense Intelligence Agency, 
Departments of Defense, Treasury, State, and Homeland Security nominate 
individuals to be in the newly formed TID (Krouse 2004). A rejection log of 
names nominated but not included was reportedly to be generated. The names 
included in the Consolidated Terrorist Screening Database, in whatever ways and 
from whichever agencies produce them, form the core of several different HSIS. 
These names are important because they are used to flag individuals who 
thereafter get special attention and monitoring, up to and including arrest. 

But lists are bound to have a lot of churn. Once particular lists are created, 
there are questions regarding how names are removed, or the circulation of certain 
lists stopped (Elliott 2004). A description of the FBI’s “Project Lookout,” 
implemented in late 2001, said it provided a “quickly developed watch list to 
scores of corporations around the country” (Davis 2002, p. 1) that was circulated 
for a period longer than its usefulness. Basically, selected companies representing 
sectors within the newly defined critical infrastructure industries (e.g., power, 
chemicals, pharmaceuticals, banking, credit, etc.) were given the lists. The FBI 
said it lost control of the data base because it was reproduced without changes and 
shared many times, producing 50 versions via the Internet. Various companies 
used the data—which were not updated—to screen employees, report transaction 
footprints, or for other uses, even if some names had been removed from later 
lists. Companies ultimately receiving the list included gambling casinos, car 
rental agencies, trucking companies and, presumably, hotel chains that used out- 
of-date lists. Project Lookout is a fascinating case study of how the lists of names 
took on a more alarming characterization as “suspected terrorists” rather than just 
individuals the FBI wanted to question. It is also a cautionary tale of how law 
enforcement sensitive information, once released from police agencies, can morph 
into inaccuracy and be used in highly inappropriate ways. Therefore, any watch 
list system has to be updated dynamically and quickly so that false positives or 
false negatives do not become chronic problems. 

Decentralized data bases such as those comprising current watch lists 
challenge coordination efforts. The GAO report charts in general terms the flow 
of information sharing among the systems, but does not note clearly that the 




different systems generally have different objectives that are unlikely to 
necessarily merge into an effective, coordinated watch list system. For example, 
the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) is 
portrayed as a “terrorist watch list,” even though its primary function is as the 
national repository of fingerprints for purposes of criminal background checks 
and identification. IAFIS is not designed specifically to catch terrorists, so much 
as to identify any set of fingerprints submitted for processing. Some of these 
include employee security checks from all over the nation, so identifying the 
fingerprints of a potential terrorist would only be a small part of the IAFIS job. 

To take another example, the aviation passenger screening system is 
considered a watch list, but as with aspects of most other HSIS, its components 
are not straightforward. In large part, FAA systems are designed to classify 
passengers into “no-fly” and “selectee” categories (Airport Security Report 2004). 
These are defined as separate watch lists. The Computer Assisted Passenger 
Profiling System (CAPPS) was developed largely in response to aircraft 
bombings, and helps identify individuals who should be put on a no-fly list as 
well as selecting individuals that deserve closer screening when going through 
passenger checkpoints. Several of the 9-11 hijackers were ‘selectees’ who were 
examined more closely than other passengers, but were nevertheless able to board 
with their weaponry because the weapons were within allowable standards at that 
time. The original CAPPS was to be replaced with CAPPS II, but that plan was 
scrapped in favor of a new system entitled Secure Flight (Wald and Schwartz 
2004; Airport Security Report 2004). To add potential confusion, passengers for 
domestic flights are screened by a different agency and through a different system 
than are passengers for international flights. The DHS Bureau of Customs and 
Border Protection (CBP) uses the Advance Passenger Information System (APIS) 
to screen international travelers, while the Transportation Security Administration 
(TSA) is to use Secure Flight to examine domestic passengers. 

The use of different systems by different agencies is complicated further 
by the logistics of computerized passenger screening operations. Consider, for 
example, the APIS used by CBP. It requires air carriers arriving in or departing 
from the U.S. to submit a roster of passengers to APIS, which is then 


checked against the combined federal law enforcement database known as 
the Interagency Border Inspection System (IBIS) [which] includes data 
from the databases of CBP and 21 other federal agencies. Names are also 
checked against the FBI’s National Crime Information Center wanted 
persons database (U.S. Customs and Border Protection, 2004). 


Air carriers are required to submit the passenger manifest into APIS 15 minutes 
before a flight’s departure. This provides a relatively short period in which to run 
data base matches intended to find suspected terrorist operatives. Furthermore, 




the overall volume of names that must be screened is large and variable. In 2002, 
there were approximately 35.6 million passengers arriving from international 
locales, and about 33.7 million passengers departing from the U.S. for 
international airports (including Canadian travel) (U.S. Bureau of Transportation 
Statistics 2004, Tables 1-42 and 1-43). If these BTS figures are accurate and all 
passenger names are being screened, the average daily name check would be 
somewhere around 190,000 names. But the actual daily extremes are likely to 
cycle through highs and lows, so the APIS might have to check 300,000 or 5,000 
names in a day followed by lower and higher numbers in subsequent days. Of 
course, the names would flow in at different rates throughout the day, given flight 
schedules and the 15-minute reporting requirement, so peaks might be smoothed 
out to some extent. Nevertheless, this represents a sizeable inflow of names, and 
suggests the need for a system that can handle peak volumes smoothly. Among 
other things, it’s a matter of highly reliable communications channels that can 
carry the data transactions. This ignores the issue of how quickly aviation 
officials can react to any flagged records that would require stopping a flight or 
isolating an individual at an airport or on a plane. 

The CAPPS and its evolving new incarnation, Secure Flight, work in a 
similar way. Under CAPPS, the passenger name records are matched against 
selected watch lists. The volume of names input is smaller than for international 
flights. There were approximately 25.5 million domestic passengers departing 
U.S. airports in 2001 and 23.6 million in 2002. Average daily volume would 
therefore hover around 66,000 names to be checked. One difference ahead for 
Secure Flight is that, up to late 2004, the responsibility for running names against 
available watch lists rested with the airlines, not the TSA (Dizard 2004). 
However, the Secure Flight system will be operated by the TSA, relieving air 
carriers of the function, and enabling the use of the supposedly more 
comprehensive and secure Terrorist Screening Database that is to be built and 
maintained by the Terrorist Screening Center. 

Because individual names fuel the entire watch list system, a major 
challenge associated with watch list effectiveness is the ‘name game.’ The 
primary ingredients of current anti-terrorism data base initiatives are the names 
and aliases of individual suspects—especially Arabic names. Accordingly, the 
ability of different systems to recognize widely varying spellings is important. 
One serious difficulty is that the spelling of Arabic names changes across 
different countries, to the extent that a single individual can have multiple 
spellings—all legitimate—that will confuse, bog-down, or outright fool name 
checking systems tied to watch lists. Authorities with watch list responsibilities 
in the U.S. have used language analysis software to re-structure name check 
protocols, but major challenges still remain (Milstein 2002; Davis 2003). 
Furthermore, the incidence of false positives—flagging names incorrectly or that 




should no longer be on a list—is a continual problem because of both the name- 
spelling problem and lax purging practices by the administrators of different 
watch lists (Davis 2003; Elliott 2004). 
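The two failure modes just discussed, variant spellings that defeat exact name checks and stale copies of a list that keep flagging purged names, as an added example that is not part of the original article or of any operational watch list system. The spelling-collapse rules, the name particles, the sample list entries, and the dates are all constructed for the illustration; a production system would use language-specific transliteration tables rather than these Soundex-style rules. The point the example makes is that the same collapsing that lets "Muhammad Hussain" find "Mohammed Hussein" also makes unrelated people collide, so a key match is a lead to verify, not a determination.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Name particles that vary or vanish between transliterations. Assumption:
# illustrative subset, not a linguistic standard.
PARTICLES = {"al", "el", "bin", "ibn"}

# Spelling collapses applied to each token before vowels are dropped.
# Assumption: illustrative rules, not an official transliteration table.
_COLLAPSE = [
    (r"ph", "f"), (r"q", "k"), (r"ck", "k"),
    (r"ou|oo", "u"), (r"ee|ei", "i"),
    (r"(.)\1", r"\1"),          # doubled letters -> single
]
_VOWELS = re.compile(r"[aeiouy]")


def _ascii_lower(text: str) -> str:
    """Strip diacritics and lower-case, so accented forms fold together."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()


def _token_key(token: str) -> str:
    """Soundex-like key: keep the first letter (initial vowels folded to 'a'),
    drop the vowels from the rest, after collapsing common spelling variants."""
    for pattern, repl in _COLLAPSE:
        token = re.sub(pattern, repl, token)
    head = "a" if token[0] in "aeiouy" else token[0]
    return head + _VOWELS.sub("", token[1:])


def name_key(name: str) -> tuple:
    """Order-independent key for a full name: 'Hussein, Mohammed' and
    'Muhammad Hussain' reduce to the same tuple."""
    tokens = re.split(r"[\s\-]+", _ascii_lower(name))
    keys = []
    for tok in tokens:
        tok = re.sub(r"[^a-z]", "", tok)
        if tok and tok not in PARTICLES:
            keys.append(_token_key(tok))
    return tuple(sorted(keys))


@dataclass(frozen=True)
class Entry:
    name: str
    added: date
    removed: Optional[date] = None   # set when the name is purged from the list

    def active(self, as_of: date) -> bool:
        return self.added <= as_of and (self.removed is None or as_of < self.removed)


def screen_name(query: str, entries, as_of: date) -> list:
    """Names on the list, as of a given list version date, whose key matches.

    Honouring `as_of` is what a recipient of a circulated copy (the Project
    Lookout problem) fails to do when it keeps screening against a stale copy.
    """
    key = name_key(query)
    return [e.name for e in entries if e.active(as_of) and name_key(e.name) == key]


# Constructed sample list: one entry was removed in January 2002.
WATCHLIST = [
    Entry("Mohammed Hussein", added=date(2001, 10, 1), removed=date(2002, 1, 15)),
    Entry("Abd al-Rahman Hassan", added=date(2001, 10, 1)),
]

if __name__ == "__main__":
    for q in ("Muhammad Hussain", "Husayn, Mohamed", "Abd el Rahman Hasan"):
        print(q, "->", name_key(q), screen_name(q, WATCHLIST, date(2001, 11, 1)))
    print("stale copy:", screen_name("Muhammad Hussain", WATCHLIST, date(2002, 3, 1)))
```

A consumer that ignores the version date (or never receives the removal) keeps producing the "Mohammed Hussein" hit after January 2002, which is the false-positive churn the paragraph describes.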


Synthesizers that assemble the pieces: MATRIX and TIA 


The fragmented, partitioned nature of intelligence and law enforcement 
information, and associated decentralized data systems, are a well known 
phenomenon. Among other things, the 9-11 Commission recommended the 
reorganization of selected intelligence systems into a more coordinated structure. 
Certainly, this has been the case with terrorist watch lists, as noted above (General 
Accounting Office 2003). However, some critics of the commission’s 
recommendations argued that centralized control is not only a difficult objective 
to achieve in highly fragmented systems, but might also create different kinds of 
problems, bottlenecks, and barriers to information sharing (Posner 2004). 
Therefore, another approach that runs parallel to explicit combination of HSIS is 
the development of other data base and software systems that focus on the 
coordination, synthesis, and interpretation of information contained in many 
different systems. Two HSIS of this type are profiled: the Multi-State Anti- 
Terrorism Information Exchange (MATRIX) and the Defense Advanced Research 
Projects Agency (DARPA) Terrorism Information Awareness (TIA) 
program. These systems are interesting because both were conceived on 
relatively grandiose scales, but were substantially reduced on the run-up to 
implementation. In the case of MATRIX, although sixteen states (including 
Texas and California) originally enlisted in the system, only four states take part 
as of 2005. As for the TIA program, after some real budgetary investments in 
2002 and 2003, the U.S. Congress ordered its termination in the FY2005 DARPA 
budget. 


The MATRIX system 


What are the objectives of the MATRIX system? From one perspective, it is an 
information sharing system designed “to increase and enhance the exchange of 
sensitive terrorism and other criminal activity information between local, state, 
and federal law enforcement agencies” (www.matrix-at.org, accessed October 25, 
2004). A 2004 Congressional Research Service report (Krouse 2004a, p. 1) says 
that the MATRIX project “allows authorized investigators to share and analyze 
information that is already available to law enforcement from open public and 
state-owned data, without a subpoena or court order.” The description offered 
publicly by the DOJ, DHS, and the MATRIX administrator (the Institute for 
Intergovernmental Research, a nongovernmental organization based in 
Tallahassee, Florida) is that it uses various open and secure data bases to assemble 
information about suspects in a traditional law enforcement context. That is, it 




augments access to various states’ secure law enforcement data bases (e.g., 
criminal histories, warrants, etc.). In this respect, MATRIX is not particularly 
provocative or unusual, insofar as it is simply a tool to reduce the friction of 
information acquisition by police agencies. But MATRIX is also described as 
having a speculative and predictive element that can potentially help investigators 
prospectively identify individuals that have a high probability of being involved 
in terrorist plots. 


The initial software algorithms underlying MATRIX were explicitly 
predictive. The software that drives the MATRIX system was devised originally 
by a private entrepreneur, Hank Asher, who operated a commercial data 
aggregator and data mining company, Seisint, Inc. (Shnayerson 2004). Asher 
devised a software algorithm that offered the potential to identify possible 
terrorists in the U.S. This system was ultimately converted into the MATRIX, 
under the direction of the FBI. In late 2001 through 2002, Seisint used the 
various data bases included within its commercial databases (now largely 
included within the MATRIX umbrella) to calculate a “terrorism quotient” or 
score that produced a data base of 120,000 names. This was effectively a massive 
profiling effort. The profiles were based on inferences drawn from a handbook of 
terrorism, evidently something like the training manuals from al Qaeda and other 
terrorist organizations that have been found. Using the manual, designers figured 
out the likely behavior patterns that potential terrorist recruits would have if they 
used the manual’s guidance to live in relative obscurity, then apparently searched 
secure and open source data bases for individuals who fit such living patterns 
(Associated Press 2004). Among the highest scores in the terrorism quotient list, 
at least one of the 9-11 hijackers and five individuals under investigation for 
possible terrorist activities were included. One report indicated that on the basis 
of the Seisint, Inc., lists, “within two months of 9/11, more than 1,200 people had 
been detained....[and several arrests] were made within a week of the list’s 
disclosure” (Shnayerson 2004, p. 236). 

In its current guise, MATRIX uses a software tool called Factual Analysis 
Criminal Threat Solution (FACTS) to pore over public and law enforcement 
records in order to “solve critical crime problems by enabling law enforcement to 
take incomplete witness accounts and develop leads in seconds, versus manually 
intensive efforts traditionally requiring days, weeks, or months” (www.matrix- 
at.org, accessed October 20, 2004). The example used on the MATRIX website 
is of an investigator having a partial license plate number, which could then be 
plugged into FACTS to generate information attached to the number. This 
example is based on a Florida incident of road rage described in the spring 2004 
MATRIX newsletter. 

To perform this kind of action, the MATRIX system requires a data 
mining platform in order to assemble and synthesize information from data bases 




that are part of the system. The data base components are far-flung. According to 
its website, the following public record data sources are included in MATRIX 
(available at www.matrix-at.org, accessed October 20, 2004): 


1. FAA pilot licenses and aircraft ownership 
2. Property ownership 
3. Coast Guard registered vessels 
4. State sexual offenders lists 
5. Federal terrorist watch lists 
6. Corporation filings 
7. Uniform Commercial Code filings (i.e., UCCs or business liens) 
8. Bankruptcy filings 
9. State-issued professional licenses 


In addition to these public records, a variety of law enforcement data bases from 
some or all of their participating state members are included: 


1. Criminal history information 
2. Department of corrections information (and photo images) 
3. Sexual offender information 
4. Driver’s license information (and photo images) 
5. Motor vehicle registration information 


MATRIX makes it easier to use link analysis (software that identifies linkages 
among individuals via communications or shared criminal activities) and 
“transactional footprinting” (tracing the consumer transactions made by an 
individual) which has been a powerful tool to track identity theft or credit card 
fraud (Krouse 2004a). One description of the system notes that “when the 
identity of a criminal or felony suspect is typed into the electronic system, it 
provides a detailed report on arrests and convictions along with financial data 
such as real estate acquisitions and credit purchases of vehicles and other goods” 
(Crime Control Digest 2004, p. 2). It goes on to explain that MATRIX gives 
investigators the ability to track credit card purchases and investments, and is 
touted as an important tool in the fight against money laundering. 
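The link-analysis step and the partial-license-plate query described above, as an added example that is not part of the original article or of the FACTS tool. The records, field names, identifiers, and the hop limit are all constructed for the illustration; the technique shown is the general one of joining records from separate sources on shared identifiers into a graph and expanding outward from a starting lead.

```python
import re
from collections import defaultdict, deque

# Constructed records standing in for the public and state sources MATRIX
# lists (vehicle registration, driver's license, property, corporate filings).
# Assumption: field names and identifiers are invented for the illustration.
VEHICLES = [
    {"plate": "ABC123", "owner": "P1"},
    {"plate": "ABC128", "owner": "P2"},
    {"plate": "XYZ999", "owner": "P3"},
]
LICENSES = [
    {"id": "P1", "name": "Alice Adams", "address": "12 Elm St"},
    {"id": "P2", "name": "Bruno Baker", "address": "77 Oak Ave"},
    {"id": "P3", "name": "Cara Cole", "address": "77 Oak Ave"},
    {"id": "P4", "name": "Dan Diaz", "address": "9 Pine Rd"},
]
PROPERTY = [
    {"address": "12 Elm St", "owner": "P4"},
]
CORPORATIONS = [
    {"company": "Coastal Freight LLC", "officer": "P2"},
    {"company": "Coastal Freight LLC", "officer": "P3"},
]


def build_graph() -> dict:
    """Undirected graph: a node per person, vehicle, address and company; an
    edge wherever two records share an identifier."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for v in VEHICLES:
        link("vehicle:" + v["plate"], "person:" + v["owner"])
    for l in LICENSES:
        link("person:" + l["id"], "address:" + l["address"])
    for p in PROPERTY:
        link("address:" + p["address"], "person:" + p["owner"])
    for c in CORPORATIONS:
        link("company:" + c["company"], "person:" + c["officer"])
    return graph


def plates_matching(partial: str) -> list:
    """Plates consistent with a partial read; '?' marks an unread character."""
    pattern = re.compile("^" + re.escape(partial).replace(r"\?", ".") + "$")
    return sorted(v["plate"] for v in VEHICLES if pattern.match(v["plate"]))


def linked(graph: dict, start: str, max_hops: int) -> dict:
    """Breadth-first expansion: every node within max_hops of start, with its
    distance. Limiting hops is what keeps a lead from becoming a dragnet."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] == max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def leads_from_plate(partial: str, max_hops: int = 2) -> dict:
    """Persons reachable from any vehicle matching the partial plate,
    keyed by person id with the number of hops that connect them."""
    graph = build_graph()
    leads = {}
    for plate in plates_matching(partial):
        for node, dist in linked(graph, "vehicle:" + plate, max_hops).items():
            if node.startswith("person:"):
                pid = node.split(":", 1)[1]
                leads[pid] = min(dist, leads.get(pid, dist))
    return leads


if __name__ == "__main__":
    print(plates_matching("ABC12?"))
    print(leads_from_plate("ABC12?", max_hops=2))
    print(leads_from_plate("ABC12?", max_hops=3))
```

At two hops the partial plate yields only the registered owners; at three it pulls in a landlord and a business partner who share nothing with the incident but an address or a corporate filing, which is why the hop limit (and not the data volume) decides how many uninvolved people a query touches.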

Initially, 16 states agreed to be members of MATRIX. As of April 2005, 
only four states remained in the system: Connecticut, Florida, Ohio, and 
Pennsylvania. By August 2005, federal funding for MATRIX had been 
discontinued, the website was discontinued, and it appeared that only Florida 
remained interested in further system development. In the four states in which it 
last operated, MATRIX was part of a secure law enforcement information system 
called Regional Information Sharing Systems (RISS), which is a longstanding 
national system composed of six different regionally-specific secure law 
enforcement intranet systems (Middle Atlantic-Great Lakes Organized Crime 




Law Enforcement Network, Mid-States Organized Crime Information Center, 
New England State Police Information Network, Rocky Mountain Information 
Network, Regional Organized Crime Information Center, and Western States 
Information Network). Despite its connection to the 25-year old RISS network, 
MATRIX in its current form is unlikely to survive because information exchange 
is difficult when only three or four states actually participate. 


Terrorism information awareness 


The synthesis of information contained in disparate data bases in order to predict 
and ultimately prevent terrorist schemes achieves its zenith in the Terrorism 
Information Awareness initiative proposed by DARPA. Although funding for the 
TIA program was stopped during the federal FY2005 budgetary cycle, its basic 
structure and overlying objectives are likely to infuse future federal anti-terrorism 
data initiatives. Certain components of the initial TIA program are still under 
development—for example, the construction of terrorism scenarios and 
examination of the data transaction patterns attached thereto has continued 
(Lipton 2005). 

On its face, TIA was designed “to better detect, classify, and identify 
potential foreign terrorists [to understand] their plans [and increase] the 
probability that the United States can preempt adverse actions” (DARPA 2003a, 
p. 5-6). The TIA program was visualized as a comprehensive information 
management tool against terrorism, but its roll-out was attacked by public interest 
and civil liberties groups as a serious invasion of personal privacy (Harris 2002; 
Hertzberg 2002). Public criticism of TIA was also fueled by the appointment of 
its initial director, John Poindexter, who, while President Reagan’s national 
security advisor, had been convicted of lying to Congress during the Iran-Contra 
scandal, a conviction later overturned on appeal (Hertzberg 2002). Despite 
stopping federal funding, some components of the TIA program arguably retain 
some desirable functions, including the “Evidence Extraction and Link Discovery 
projects” that were comprised of nearly two-dozen data mining initiatives and the 
"Novel Intelligence from Massive Data effort" (DARPA 2003). These systems 
were in effect smart software programs that will continue to be developed with an 
eye toward improving the abilities of law enforcement investigators and 
intelligence officers to sift through many data bases. 

A crucial element of the TIA programs included a process by which 
terrorist attack scenarios would be developed by “red teams” of counter-terrorism 
experts. Then, these scenarios would be used to guide searches for the 
information and transaction patterns that would have to be created by terrorist 
actors in order to implement the plotted schemes. Once the various scenarios— 
referred to as ‘competing hypotheses’ by the TIA work plans—were created, they 
would be used to guide a broad-ranging scan of many different public and private 




data bases to uncover anticipated transactions. DARPA (2003, p. 14) notes that 
its “red teams” would 


determine the types of transactions that would have to be carried out to 
perform these activities. Examples of these transactions are the purchase 
of airlines tickets for travel to potential attack sites for reconnaissance 
purposes, payment for some kind of specialized training, or the purchase 
of materials for a bomb. These transactions would form a pattern that may 
be discernable in certain databases to which the U.S. Government would 
have lawful access....[It is] searching for patterns that are related to 
predicted terrorist activities. 


This scan of data bases would have to be joined with lists of potential or actual 
terrorist actors included in criminal history data bases or other watch lists. The 
search for information would be further augmented by the “red team” having 
already speculated about the kind of data, travel, materials, meetings, linkages, 
and purchases that would have to have occurred for a plot to be formulated. They 
would create, in effect, an information and transaction template on which to base 
a search of actual data bases. 


What’s this mean for U.S. anti-terrorism policies? 


The public policy implications of homeland security information systems are 
complex. On one hand, any policies that mandate the creation, review, and 
operation of data bases containing information about individual citizens elicit 
negative kneejerk reactions from varied groups across the political spectrum. 
Organizations as diverse as the American Civil Liberties Union, the Federation of 
American Scientists, the Electronic Privacy Information Center, and the Center 
for Democracy and Technology each decry the erosion of civil liberties and 
invasions of privacy embedded in huge national data bases that underpin HSIS 
operations. But on the other hand, law enforcement and intelligence agencies are 
roundly criticized for not drawing preventive inferences and investigative insights 
from existing data bases, and these agencies accordingly seek new, more 
sophisticated information technology tools to better exploit the information 
contained in these data bases. At the intersection of these two extremes, there are 
various operational concerns that should be underscored. 

In the first place, despite widespread efforts by U.S. political leadership to 
centralize and merge terrorist data base systems, there still appears to be a 
substantial partitioning of different data bases used by different agencies to 
describe suspected terrorist actors. As of August 2005, the Terrorist Threat 
Integration Center had still not fully coordinated or synthesized watch lists, either 
from the standpoint of producing them or consuming their informational outputs. 
Part of the issue here is the socio-bureaucratic structure of watch lists. Although 
the effort to coordinate them exists, they have different functions and goals, and 
they perform different duties for other members of the criminal justice or 
transportation systems. Essentially, the search for terrorists or terrorist plots only 
engages most of these systems on a part-time basis, and each of the HSIS 
continues to perform other non-terrorism related functions. Each of these systems 
could be doing a very good job on its own, but fail the larger objective of 
detecting terrorist plots or identifying criminal agents because the different HSIS 
systems do not necessarily ‘play’ well together. 

But even if the use of different HSIS is better coordinated, the dynamics of 
terrorist watch list operations—how names arrive on watch lists, how lists are 
used by different agencies, how names are removed—do not inspire confidence. 
Inaccurate watch lists will produce false negatives and false positives, and regular 
media accounts describe the recurring Kafkaesque passenger pre-screening 
experiences of individuals whose names are similar or identical to those on watch 
lists (Davis 2003; Swarns 2004; Elliott 2004). These anecdotal accounts are only 
the exposed tip of the largely invisible machinations of the terrorist watch list 
production process. 
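The false-positive and false-negative trade-off described in this paragraph can be made concrete with a small matching exercise. The following is an added illustration, not code from the paper or from any screening system; the watch list, the passenger manifest and the "listed" ground-truth flags are all constructed, and the similarity threshold is an assumed parameter. It compares an exact-match rule against a fuzzy rule (difflib similarity) and counts the errors each makes:

```python
"""Watch-list name matching and its error modes (added example).

The watch list and manifest below are constructed for illustration, not real
data. The `listed` flag records whether the passenger really is the listed
person; that ground truth is exactly what a screening system never sees.
"""
import re
from difflib import SequenceMatcher

WATCH_LIST = ["John Smith", "Maria Gonzalez"]      # constructed entries

MANIFEST = [                                         # constructed records
    ("John Smith", True),        # the listed person
    ("Jon Smith", False),        # different person, near-identical name
    ("J. Smith", False),         # initial only, different person
    ("Maria Gonzales", True),    # listed person, spelling variant in record
    ("Mark Jones", False),       # unrelated traveller
]


def normalize(name):
    """Casefold, drop punctuation and collapse whitespace before comparing."""
    return " ".join(re.sub(r"[^\w\s]", "", name).casefold().split())


def exact_match(name, watch_list=WATCH_LIST):
    """Strict rule: normalized name must equal a watch-list entry."""
    return any(normalize(name) == normalize(w) for w in watch_list)


def fuzzy_match(name, threshold, watch_list=WATCH_LIST):
    """Loose rule: any watch-list entry at least `threshold` similar matches.
    `threshold` is an assumed tuning parameter, not a value from the paper."""
    n = normalize(name)
    return any(SequenceMatcher(None, n, normalize(w)).ratio() >= threshold
               for w in watch_list)


def evaluate(matcher, manifest=MANIFEST):
    """Return (false_positives, false_negatives) for a matching rule."""
    fp = fn = 0
    for name, listed in manifest:
        hit = matcher(name)
        if hit and not listed:
            fp += 1          # innocent traveller stopped
        if listed and not hit:
            fn += 1          # listed person passes through
    return fp, fn


# Exact matching misses the spelling variant: (0 false positives, 1 false negative)
EXACT = evaluate(exact_match)                        # (0, 1)
# Fuzzy matching at 0.9 catches the variant but stops "Jon Smith": (1, 0)
FUZZY = evaluate(lambda n: fuzzy_match(n, 0.9))      # (1, 0)
# Loosening the threshold further adds "J. Smith" to the stopped list: (2, 0)
LOOSE = evaluate(lambda n: fuzzy_match(n, 0.8))      # (2, 0)
```

Nothing about the rule itself tells the operator which of the two hits on "Smith" is the listed person; that is why the paper's point about removal and redress procedures matters as much as the matching algorithm.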

The most important policy questions revolve around our capacity to 
anticipate terrorist events. Can anti-terrorism policies be designed to stop attacks 
that are put together in ways that we have not yet thought about (Posner 2004)? 
Answering this question means that the law enforcement community and elected 
officials must think more creatively about the extent to which the multitude of 
public and private data bases should be proactively mined to support anti- 
terrorism tactics. From one perspective, stopping terrorist events requires the 
forceful use of resources, such as data, to speculate on possible attacks and to then 
mount a counter-attack that will stop it before it’s initiated. In other words, as an 
anti-terrorism tool, data base management and use has to be developed 
aggressively to attack and stop determined opponents. 

One way of doing this is to use data to find out whether certain patterns of 
activities, movements, and purchases (documented in various data bases) are what 
one would expect if a terrorist plot was unfolding (e.g., joint travel, completion of 
flight lessons, purchase of combustible biochemical products). Thus, our 
creativity in the development of potential terrorist scenarios is very important: we 
have to know what to expect, but more importantly, if a predictive element is to 
be added, we have to understand what its future data pattern would look like. 
Sophisticated data mining tools could be helpful, but like fingerprint 
identification, human judgment about how to respond to signs in the data is 
ultimately the most important tool: no more “failures of imagination” (National 
Commission 2004). Accordingly, new scenarios for terrorist attacks are actively 
developed as one means of proactive prevention (Lipton 2005). For instance, 
thefts of certain prescription or narcotic drugs—included in local, state, and 
federal data bases—might signify a pending chemical or biological attack. This is 
the kind of counterterrorism exercise proposed for HSIS synthesizers such as 
MATRIX and TIA. The systems are used to identify data signatures and 
footprints, then someone in an agency or task force must translate these data 
patterns into recognizable scenarios before any kind of early warning system can 
reliably exist. 
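The "information and transaction template" idea introduced with the DARPA red-team quotation above, and restated here as the search for data signatures that a scenario would leave behind, amounts to scoring each actor's records against a set of expected transaction kinds within a time window. The following is an added example, not code from the paper, DARPA, MATRIX or TIA; the transaction categories, the window length, the actor labels and every record are constructed. It also shows the failure mode the paper stresses: an actor with an innocent explanation can cover the template just as completely as the hypothesized plotter.

```python
"""Scenario-template scan over a constructed transaction log (added example).

The template is the set of transaction kinds one hypothetical scenario would
have to generate; an actor's score is the fraction of that template covered
within a sliding window. All names, categories and records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Transaction:
    actor: str
    kind: str          # assumed category label, e.g. "air_ticket"
    when: date


# Constructed template and window (assumed values, not from the paper).
TEMPLATE = {"air_ticket", "specialized_training", "material_purchase"}
WINDOW = timedelta(days=90)

# Constructed records. "Actor C" is a plausible innocent: a student pilot who
# flies commercially and buys supplies for a farm business. "Actor D" has all
# three kinds but spread over 18 months, outside any single window.
RECORDS = [
    Transaction("Actor A", "air_ticket", date(2005, 1, 10)),
    Transaction("Actor A", "specialized_training", date(2005, 2, 2)),
    Transaction("Actor A", "material_purchase", date(2005, 3, 1)),
    Transaction("Actor B", "air_ticket", date(2005, 1, 5)),
    Transaction("Actor B", "grocery", date(2005, 1, 6)),
    Transaction("Actor C", "air_ticket", date(2005, 4, 1)),
    Transaction("Actor C", "specialized_training", date(2005, 4, 15)),
    Transaction("Actor C", "material_purchase", date(2005, 5, 20)),
    Transaction("Actor D", "air_ticket", date(2004, 1, 1)),
    Transaction("Actor D", "specialized_training", date(2004, 9, 1)),
    Transaction("Actor D", "material_purchase", date(2005, 6, 1)),
]


def coverage(transactions, template=TEMPLATE, window=WINDOW):
    """Best fraction of template kinds one actor covers inside any window
    of `window` days that starts at one of the actor's own transactions."""
    relevant = sorted((t.when, t.kind) for t in transactions if t.kind in template)
    best = 0.0
    for i, (start, _) in enumerate(relevant):
        kinds = {k for when, k in relevant[i:] if when - start <= window}
        best = max(best, len(kinds) / len(template))
    return best


def scan(records, threshold=1.0, template=TEMPLATE, window=WINDOW):
    """Score every actor; return (actor, score) pairs at or above threshold,
    highest score first."""
    by_actor = defaultdict(list)
    for t in records:
        by_actor[t.actor].append(t)
    scores = {a: coverage(ts, template, window) for a, ts in by_actor.items()}
    hits = [(a, s) for a, s in scores.items() if s >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    # Both the hypothesized plotter and the innocent student pilot score 1.0;
    # the scan alone cannot tell them apart, which is the analyst's job.
    for actor, score in scan(RECORDS):
        print(f"{actor}: {score:.2f}")
```

The window rule is what keeps "Actor D" out of the hit list despite matching every kind; without it, any long enough record would eventually cover any template, which is one reason the paper argues that human judgment about how to read such signatures matters more than the mining tool.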

But from another perspective, informed by the crash diet in the list of 
states using the MATRIX system from 16 to four to one, and the vocal cessation 
of funding for the federal TIA program, the broader public apparently is not in the 
mood for systems designed to predict terrorist acts. Concerns about personal 
privacy, basic civil liberties, big brother, and domestic spying have trumped the 
use of major data bases for terroristic speculation, in large part because 
developing hypotheses about potential terrorist schemes does not meet the legal 
standard of establishing probable cause that a crime has or is about to occur 
before public authority can be used to fully reveal and then squelch the plot. This 
standard is unlikely to change in the U.S. The holy grail of HSIS development 
and operation is finding the proper balance between system effectiveness and the 
privacy of innocent civilians. We have not found the holy grail, but we are still 
searching. 




References 


Airport Security Report. 2004. “No-fly and selectee lists a limited cure for 
prescreening.” Airport Security Report 11(17). PBI Media, LLC. August 
25. Accessed October 13, 2004 through LexisNexis. 


Anderson, J. and D. Cohn. 1999. Shh! Uncle Sam is Listening. United Feature 
Syndicate. November 16. Accessed November 3, 2004 at www.fas.org. 


Associated Press. 2002. “FBI blunders on terror emails,” Wired News. May 29. 
Accessed June 1, 2002 at http://wired.com/news/. 


Borin, E. 2002. “Feds open ‘total’ tech spy system,” Wired News. August 7. 
Accessed August 8, 2002 at http://wired.com/news/. 


Crime Control Digest 2004. “New York, Wisconsin leave Matrix over costs; 
Connecticut waivers,” Vol. 38, No. 11. March 19. 


DARPA. 2003. Report to Congress Regarding the Terrorism Information 
Awareness Program. In response to Consolidated Appropriations 
Resolution, 2003, P.L. 108-7, Division M, 111(b). Defense Advanced 
Research Projects Agency. May 20. Accessed October 18, 2003 at 
http://www.globalsecurity.org/security/hotdocs.htm. 


DARPA. 2003a. Fact File: A Compendium of DARPA Programs. Defense 
Advanced Research Projects Agency. August. Accessed. November 8, 2004 
at http://www.darpa.mil/. 

Davis, A. 2002. “Post-Sept. 11 watch list acquires life of its own,” Wall Street 
Journal on Line. November 19. Accessed November 19, 2002 at 
http://online.wsj.com. 


Davis, A. 2003. “Why a ‘no fly list’ aimed at terrorists delays other,” Wall Street 
Journal on Line. April 22. Accessed April 22, 2003 at http://online.wsj.com. 


Dizard, III, W.P. 2004. “TSA unveils new passenger prescreening program.” 
Newsbytes. Post-Newsweek Business Information, Inc. August 26. 
Accessed October 13, 2004, through LexisNexis. 


Elliott, C. 2004. “Getting off a security watch list is the hard part,” New York 
Times. November 2. Accessed November 4, 2002 at http://nytimes.com. 


EPIC. 2002. “FBI’s Carnivore system disrupted anti-terror investigation,” 
Electronic Privacy Information Center Press Release, May 28. Accessed 
November 25, 2003 at http://epic.org/privacy/carnivore 


European Parliament. 2001. Report on the existence of a global system for the 
interception of private and commercial communications (ECHELON 
interception system) (2001/2098(INI)), Final A5-0264/2001. July 11. 
Accessed November 3, 2004 at www.fas.org. 


Federal Bureau of Investigation. 2003. Carnivore/DCS-1000 Report to 
Congress. Submitted to Judiciary Committees of the U.S. House of 
Representatives and U.S. Senate. U.S. Department of Justice. December 18. 
Accessed February 4, 2005 at 
http://www.epic.org/privacy/carnivore/2003_report.pdf. 


General Accounting Office. 2003. Terrorist Watch Lists Should be Consolidated 
to Promote Better Integration and Sharing. United States General 
Accounting Office. GAO 03-322, Washington, D.C. April. 


Harris, S. 2002. “Tech insider: total information unawareness,” GovExec.com 
[Government Executive Magazine]. November 20. Accessed November 27, 
2002 at http://www.govexec.com/news/. 


Hertzberg, H. 2002. “Too much information,” The New Yorker. December 9, p. 
45-46. 


Kerr, D.M. 2000. “Internet and data interception capabilities developed by FBI.” 
Statement for the record of Donald M. Kerr, Assistant Director, Laboratory 
Division, Federal Bureau of Investigation, U.S. House of Representatives, 
The Committee on the Judiciary, Subcommittee on the Constitution, 
Washington, D.C. July 24. Accessed November 25, 2003 at 
http://www.fbi.gov/congress. 


Krouse, W.J. 2004. “Terrorist identification, screening, and tracking under 
homeland security presidential directive 6,” CRS Report for Congress, 
Congressional Research Service. The Library of Congress. Order code 
RL32366. April 21. 


Krouse, W.J. 2004a. “The Multi-state anti-terrorism information exchange 
(MATRIX) pilot project,” CRS Report for Congress, Congressional Research 
Service. The Library of Congress. Order code RL32536. August 18. 


Lipton, E. 2005. “Fictional doomsday team plays out scene after scene,” New 
York Times. March 26, Accessed March 26, 2005 at http://nytimes.com. 


McCue, C., E.S. Stone, & T.P. Gooch. 2003. “Data mining and value-added 
analysis,” FBI Law Enforcement Bulletin 72(11): 1-7. November. 


Mecham, R. 2003. 2002 Wiretap Report. Administrative Office of the United 
States Courts. Washington, D.C. Accessed November 13, 2004 at 
http://www.uscourts.gov/wiretap.html. 




Memorandum of understanding on the integration and use of screening 
information to protect against terrorism, 2003. Homeland Security 
Presidential Directive 6, September 16. Accessed October 29, 2004 at 
http://www.fas.org/irp/news/2003/09/tscmou.pdf. 


Milstein, S. 2002. “Taming the task of checking for terrorists’ names,” New York 
Times. December 30. Accessed December 30, 2002 at http://nytimes.com. 


Moschella, W.E. 2004. 2003 Foreign Intelligence Surveillance Annual Report. 
Office of Legislative Affairs. U.S. Department of Justice. April 30. 
Accessed January 4, 2005 at 
http://www.epic.org/privacy/terrorism/fisa/2003_report.pdf. 


National Commission on Terrorist Attacks Upon the United States. 2004. The 9- 
11 Commission Report: Final Report of the National Commission on 
Terrorist Attacks Upon the United States, Official Government Edition. New 
York. W.W. Norton & Co. 


Posner, R.A. 2004. “The 9-11 report: a dissent,” New York Times Book Review. 
August 29, p. . 


Seifert, J.W. 2004. “Data mining: an overview,” CRS Report for Congress, 
Congressional Research Service. The Library of Congress. Order code 
RL31798. May 3. 


Shnayerson, M. 2004. “The danger list,” Vanity Fair, p. 232-246, December. 


Stevens, G.M. 2003. “Privacy: total information awareness programs and 
related information access, collection, and protection laws,” CRS Report for 
Congress, Congressional Research Service. The Library of Congress. Order 
code RL31730. March 21. 


Swarns, R.L. 2004. “Senator? Terrorist? A watch list stops Kennedy at airport,” 
New York Times, August 20, p. A1. 


Tyson, J. 2003. “How Carnivore works.” Howstuffworks. Accessed November 
25, 2003 at http://howstuffworks.com/carnivore.htm. 


U.S. Customs and Border Protection. 2004. “Advance Passenger Information 
System Fact Sheet,” Accessed October 27, 2004 at http://www.cbp.gov. 


U.S. Bureau of Transportation Statistics. 2004. National Transportation 
Statistics 2003. Accessed October 27, 2004 at http://www.bts.gov. 


Wald, M.L. & J. Schwartz. 2004. “Expansion sank terror screening program, 
officials say,” New York Times. September 19. Accessed September 22, 
2004 at http://nytimes.com. 




Winner, L. 2002. “Complexity, trust and terror,” Netfuture: A Publication of the 
Nature Institute. Issue 137, October 22. Accessed October 31, 2002 at 
http://www.netfuture.org. 


